Both security vulnerabilities are yet to be patched. There are a few workarounds for the bugs. Read on to find out more.
Security researcher Alexander Klink revealed the Java bug. Blindspot Security researcher Timothy Morgan went into more detail about the Java flaw and found it in Python as well.
The FTP protocol injection flaw could be used to start a classic mode FTP connection, which has long been known to be insecure but is still supported by default by many commercial firewalls.
The flaw concerns how Java and Python handle FTP links. For Java, it was found that XML eXternal Entity (XXE) processing mishandles FTP connections. Attackers can craft a link that makes Java and Python code interpret parts of it as new commands, tricking a firewall into letting TCP connections from the internet reach a vulnerable host on any "high" port (1024-65535). You can find more details on Klink's blog.
The result is that you can send unauthorised emails, even with attachments, from Java applications through the SMTP protocol, which shares many similarities with FTP. According to Morgan:
In the case of Java, this attack can be carried out against desktop users even if those desktop users do not have the Java browser plugin enabled.
A nearly identical vulnerability exists in Python's urllib2 and urllib libraries.
Python's built-in URL fetching library (urllib2 in Python 2 and urllib in Python 3) is vulnerable to a nearly identical protocol stream injection, but this injection appears to be limited to attacks via directory names specified in the URL.
The bugs could facilitate man-in-the-middle attacks, server-side request forgery, parsing malicious JNLP files and XXE attacks. Morgan ran limited tests against Palo Alto and Cisco firewalls and concluded that "a significant percentage of production firewalls in the world are susceptible to attack through FTP protocol stream injections".
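An added pre-flight check, not code from the article or from Klink's or Morgan's research, that a Python application can run on a user-supplied FTP URL before handing it to urllib or an FTP client: it flags any component that would carry a CR or LF (percent-encoded or literal) into the FTP command stream, which is the mechanism behind the injection described above. The sample URLs and hostname are constructed.

```python
from typing import List
from urllib.parse import urlsplit, unquote

# Once a URL component is decoded and written into the FTP command stream,
# CR or LF ends the current command and lets the rest of the component be
# read by the server as a new command. NUL is rejected as well.
CONTROL_CHARS = ("\r", "\n", "\0")


def find_injection(url: str) -> List[str]:
    """Return the names of URL components that would inject control
    characters into the FTP command stream; an empty list means the URL
    passed the check.

    Literal control characters are tested on the raw string first because
    recent CPython releases strip CR, LF and TAB from a URL before parsing
    it (bpo-43882), so a check that only looks at parsed components would
    silently miss them.
    """
    if any(c in url for c in CONTROL_CHARS):
        return ["raw"]
    parts = urlsplit(url)
    flagged = []
    for name, value in (("username", parts.username),
                        ("password", parts.password),
                        ("hostname", parts.hostname),
                        ("path", parts.path)):
        # Components arrive percent-encoded; the FTP client decodes them
        # before sending, so the check must run on the decoded form.
        if value and any(c in unquote(value) for c in CONTROL_CHARS):
            flagged.append(name)
    return flagged


def is_safe_ftp_url(url: str) -> bool:
    """Gate an FTP URL before handing it to urllib or an FTP client."""
    return not find_injection(url)


if __name__ == "__main__":
    # Constructed sample inputs: one ordinary URL and one with an encoded
    # CRLF inside a directory name, the vector Morgan describes for Python.
    for sample in ("ftp://ftp.example.test/pub/file.txt",
                   "ftp://ftp.example.test/pub%0d%0aINJECTED/file.txt"):
        print(sample, "->", find_injection(sample) or "ok")
```

The same check applies to URLs embedded in XML entities or JNLP files before they are resolved; it is a stop-gap for unpatched library versions, not a replacement for the firewall change recommended below.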
Morgan recommends that the general public do the following to prevent themselves from falling victim to attacks that use the Java and Python vulnerabilities:
- Consider uninstalling Java from all desktop systems. If this is not possible due to legacy application requirements, disable the Java browser plugin from all browsers and disassociate the .jnlp file extension from the Java Web Start binary.
- Consider requesting an update to fix these issues from Oracle and the Python Software Foundation. Be sure to apply security updates to all versions of Java and Python, including those running on application servers and appliances.
- Disable classic mode FTP in all firewalls, allowing only passive mode.